Overview:
Single Sign-on, or SSO, is one of the most popular solutions for enterprise business integration at the moment.
The definition of SSO is that in multiple application systems, users can access all trusted applications with only one login.
A more popular definition of SSO is that SSO refers to the same user who accesses a protected resource in a different application in the same server and only needs to log in once, that is, after security authentication in one app, and then access to protected resources in other apps, no re-login verification is required.
Why single sign-on is required:
With the development of enterprises, the number of business systems is constantly increasing, the old system can not be easily replaced, which will bring a lot of overhead. One is the overhead of management and the increasing number of systems that need to be maintained. The data of many systems is redundant and duplicated, and the inconsistency of data will put a lot of pressure on the management work.
Enterprise Application integration (EAI, enterprise application integration). Enterprise application integration can be carried out at different levels: "Data centralization" at the data storage level, "Common data exchange Platform" at the transport level, "business process integration" at the application level, and "Common Enterprise Portal" on the user interface, etc. In fact, there is also a level of integration becomes more and more important, that is, "Identity authentication" integration, that is, "single sign-on."
When there is no single sign-on, system integration is:
Single Sign-on mechanism:
When the user logs on to system A for the first time, it will be directed to the authentication system for login;
The authentication system is authenticated based on the login information provided by the user. If the validation is successful, the user is returned with a certificate of authentication (ticket);
When the user accesses system B again, the ticket will be taken as the credentials of their own authentication. System B will send this ticket to the authentication system for verification and check the legality of ticket;
If the authentication is passed, the user can enter system B without having to log in again.
Simple Single sign-on should have the content:
All application systems share an identity authentication system.
A unified authentication system is one of the prerequisites for SSO. The main function of the authentication system is to compare the user's login information with the user database, to authenticate the users, and after the successful authentication, the authentication system should generate a unified certification mark (ticket) and return it to the user. In addition, the certification system should be ticket to determine its effectiveness.
All application systems are able to identify and extract ticket information.
To enable SSO functionality so that users log on only once, the application must be able to identify the users who have already logged in. Application system should be able to identify and extract the ticket, through the communication with the authentication system, can automatically determine whether the current user has logged in, thus completing the single sign-on function.
Single Sign-on issues to note:
A single database of user information is not required.
There are many systems that cannot store all the user information centrally, and should allow user information to be placed in different stores. In fact, as long as the unified authentication system, unified ticket production and validation, no matter where the user information is stored, can achieve single sign-on.
A unified authentication system does not say that there is only a single authentication server.
The entire system can have more than two authentication servers, these servers can even be different products. Authentication server through the standard communication protocol, mutual exchange of authentication information, you can complete a higher level of single sign-on. As shown in the figure below, when the user accesses the application System 1 o'clock, the first authentication server is authenticated, and the ticket generated by this server is obtained. When he accesses the application System 4, authentication server 2 can recognize that this ticket is generated by the first server, through the authentication server between the standard communication protocol (such as SAML) to Exchange authentication information, still can complete the function of SSO.
Benefits of Single Sign-on:
User-Friendly
When users use the application system, they can log in once and use it multiple times. Users no longer need to enter the user name and user password each time, nor do they need to remember multiple user names and user passwords. The single sign-on platform improves user experience with the application system.
Convenient Administrator
System administrators only need to maintain a uniform set of user accounts, convenient and simple. In contrast, system administrators previously needed to manage many sets of user accounts. Each application system has a set of user accounts, not only to bring inconvenience to management, but also prone to management vulnerabilities.
Simplify application development
When developing a new application system, you can simplify the development process by directly using the user authentication service of the single sign-on platform. The single sign-on platform enables single sign-on by providing a unified authentication platform. Therefore, the application system does not need to develop the user authentication program.
Single Sign-on classification:
Single sign-on across subdomains
The so-called cross-subdomain single sign-on is that a, B, and P sites are located under the same domain. For example: A site for the Http://www.baidu.com,B site for the Http://tieba.itcast.com,P site for http://fangi.itcast.com.
Full cross-domain single sign-on
The so-called fully cross-domain single sign-on, that is, a, B sites do not have a common parent domain, but can still share logins. For example: A site for the Http://www.baidu.cn,B site for http://www.sina.cn.
How to implement Single sign-on:
cookie-based implementation
There are several points to note: If the method of passing SessionID based on two domain names may be established in Windows, problems may occur in Unix&linux, can be based on database implementations, and may be considered more secure. In addition, with regard to cross-domain issues, although cookies are not cross-domain, they can be used to enable cross-domain SSO.
Broker-based (based on broker)
The broker-based SSO system uses a centralized authentication and user account Management Server, and the authentication server plays the role of broker. When a user accesses an application server, it authenticates the broker proactively, then carries the ticket license to the authorization server to obtain the service ticket, the user carries the service ticket to request the application server, and the final application server validates the service ticket before providing a response service.
Agent-based (Agent-based)
The agent-based SSO system has an agent for identity authentication, and when a user logs on to the server, the agent logs its password and sends it to the other integrated system instead of the user to log in.
Token-based
Now widely used password authentication, such as FTP, mail server login authentication, this is an easy-to-use way to implement a password in a variety of applications.
Gateway-based
The gateway can be a firewall, or it can be a server dedicated to communication encryption. Servers that require single sign-on are placed within a secure network segment that is isolated from the gateway. The client obtains the service authorization after authentication.
Security Assertion Markup Language (SAML)-based implementation
The advent of SAML (Security assertion Markup Language, secure Assertion Markup Language) greatly simplifies SSO and is approved by Oasis as the execution standard for SSO. Open source organization Opensaml implements the SAML specification and can refer to http://www.opensaml.org.
Follow-up will continue to upload the demo source.